Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

55
Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012

TAGS:

Transcript of Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Page 1: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Stealing Passwords Remotely&

Malware Analysis

PacITProsMay 8, 2012

Page 2: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Bio

Page 3: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Summary

• HTTP & HTTPS Passwords in RAM

• Windows Logon Passwords in RAM

• Java Attacks

• Evading Antivirus

• Malware Analysis Overview

Page 4: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

HTTP & HTTPS Passwords in RAM

Page 5: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

HTTP Web Login

• HTTP Authentication: Wikipedia

Page 6: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

HTTP Web Login

• Password is transmitted over the Internet in plaintext

• Wireshark capture on next slide– Capture login– Statistics, Conversations– TCP tab– Follow Stream (with 13 packets)

Page 7: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 8: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Using HxD Freeware

Page 9: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 10: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Password Found

Page 11: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

HTTPS Web Login

Page 12: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Password Found!

Page 13: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Windows Logon Passwords in RAM

Page 14: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Windows Login Password

Page 15: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Not Found

• Windows doesn’t store login passwords in cleartext in RAM

Page 16: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Windows Credential Editor

Written by Hernan Ochoa, 2011

Page 17: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 18: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 19: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Passwords are Encrypted

• But the Keys are in RAM

Page 20: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Java Attacks

Page 21: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 22: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 23: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 24: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 25: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 26: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

This Attack is Not Counted in Those Graphs

• The attack I am demonstrating does not rely on any of those vulnerabilities

• This is Java operating as intended• Works on fully updated Java• No patch can be expected

Page 27: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Social-Engineer Toolkit

• In BackTrack Linux

Page 28: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

User Sees This Warning

Page 29: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Stolen Password!

Page 30: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Evading Antivirus

Page 31: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Effectiveness of AV Evasion

Page 32: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Countermeasures

• Disable Java• Don’t use Adobe products• Antivirus helps some• Antivirus + Deep Freeze helps a LOT• BUT DON’T TRUST ANY COUNTERMEASURE

– They are all easily bypassed

Page 33: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Malware Analysis

Page 34: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Techniques

• Basic Static Analysis: File, Strings, and AV• Basic Dynamic Analysis: RegShot, Wireshark,

Process Monitor, LordPE• Advanced Static Analysis: IDA Pro• Advanced Dynamic Analysis: Debuggers (not

included in this talk)

Page 35: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Basic Static Analysis

Page 36: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Harvesting Malware from Packet Captures with Wireshark

Page 37: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Save As

Page 38: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

File

Page 39: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Strings

Page 40: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Basic Dynamic Analysis

Run Malware in a Virtual Machine

Page 41: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Process Monitor

Page 42: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

RegShot

Page 43: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

RegShot Results

Page 44: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Process Monitor Results

Page 45: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Packed Executables

• .exe file lacks readable strings• When executed, the file unpacks itself into

RAM and runs there• Solution: Analyze the RAM, not the hard disk

file

Page 46: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

LordPE

Page 47: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Page 48: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Advanced Static Analysis

IDA Pro

Page 49: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Disassembler

Page 50: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Mind-Boggling Complexity

Page 51: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Skip Details

Page 52: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Module A: Compare, Jump

Page 53: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Module C: Usage Instructions

Page 54: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

C Source Code

Page 55: Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Solution


A Crawler-based Study of Spyware on the Web · 2015-01-02 · pop-up ads, stealing the victim’s financial information or passwords, or rendering the victim’s computer useless.

A Crawler-based Study of Spyware on the Web · 2015-01-02 · pop-up ads, stealing the victim’s financial information or passwords, or rendering the victim’s computer useless.

stealing time!!

stealing time!!

WORK STEALING SCHEDULER 6/16/2010 Work Stealing Scheduler 1.

WORK STEALING SCHEDULER 6/16/2010 Work Stealing Scheduler 1.

3d passwords

3d passwords

Graphical Passwords

Graphical Passwords

AVG Identity Protectionaa-download.avg.com/.../AVG_Identity_Protection/avg...AVG Identity Protection is focused on preventing identity thieves from stealing your passwords, bank account

AVG Identity Protectionaa-download.avg.com/.../AVG_Identity_Protection/avg...AVG Identity Protection is focused on preventing identity thieves from stealing your passwords, bank account

Security Awareness Passwords - Illinois.gov · 3 Passwords Password Cracking Find weak passwords Verify the use of good passwords Characters (complex) Estimated time to crack 7 15

Security Awareness Passwords - Illinois.gov · 3 Passwords Password Cracking Find weak passwords Verify the use of good passwords Characters (complex) Estimated time to crack 7 15

Passwords & security

Passwords & security

Stealing Passwords With Wireshark · Web viewRestoring the Wireless Router to Factory Default Settings Get the blue Linksys BEFW11S4 router from the closet. Plug in the power cord.

Stealing Passwords With Wireshark · Web viewRestoring the Wireless Router to Factory Default Settings Get the blue Linksys BEFW11S4 router from the closet. Plug in the power cord.

Kes Stealing Time

Kes Stealing Time

Cookie Stealing

Cookie Stealing

Stealing the Preacher

Stealing the Preacher

Stealing proverbs

Stealing proverbs

Idempotent Work Stealing

Idempotent Work Stealing

UNDERSTANDING PASSWORDS

UNDERSTANDING PASSWORDS

Using Hamiltonian Totems as Passwords Abstract 1 Visual passwords

Using Hamiltonian Totems as Passwords Abstract 1 Visual passwords

SAMPLE REPORT - AteaA bot is malicious software that invades your computer. Bots allow criminals to remotely control your computer to execute illegal activities such as stealing data,

SAMPLE REPORT - AteaA bot is malicious software that invades your computer. Bots allow criminals to remotely control your computer to execute illegal activities such as stealing data,

(GOT YOUR NOSE) · (got your nose) (Offensive Talk) We'll mainly see attack vectors today Starting simple – using cheap HTTP tricks Stealing passwords with CSS Almost like the Sexy

(GOT YOUR NOSE) · (got your nose) (Offensive Talk) We'll mainly see attack vectors today Starting simple – using cheap HTTP tricks Stealing passwords with CSS Almost like the Sexy

Stealing a Nation

Stealing a Nation

A Saudi Aramco Publication Issue 1 - 2019 panorama€¦ · panorama. Unique passwords are critical to protecting your data, especially with recent reports of hackers stealing data

A Saudi Aramco Publication Issue 1 - 2019 panorama€¦ · panorama. Unique passwords are critical to protecting your data, especially with recent reports of hackers stealing data